mirror of
https://github.com/reactos/reactos.git
synced 2024-12-29 10:35:28 +00:00
260 lines
16 KiB
C
260 lines
16 KiB
C
/*
|
|
* PROJECT: ReactOS kernel-mode tests
|
|
* LICENSE: LGPLv2+ - See COPYING.LIB in the top level directory
|
|
* PURPOSE: Kernel-Mode Test Suite NPFS security test
|
|
* PROGRAMMER: Thomas Faber <thomas.faber@reactos.org>
|
|
*/
|
|
|
|
#include <kmt_test.h>
|
|
#include "../ntos_se/se.h"
|
|
|
|
#define CheckKeySecurity(name, AceCount, ...) CheckKeySecurity_(name, AceCount, __FILE__, __LINE__, ##__VA_ARGS__)
|
|
#define CheckKeySecurity_(name, AceCount, file, line, ...) CheckKeySecurity__(name, AceCount, file ":" KMT_STRINGIZE(line), ##__VA_ARGS__)
|
|
static
|
|
VOID
|
|
CheckKeySecurity__(
|
|
_In_ PCWSTR KeyName,
|
|
_In_ ULONG AceCount,
|
|
_In_ PCSTR FileAndLine,
|
|
...)
|
|
{
|
|
NTSTATUS Status;
|
|
UNICODE_STRING KeyNameString;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
HANDLE KeyHandle;
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor;
|
|
ULONG SecurityDescriptorSize;
|
|
PSID Owner;
|
|
PSID Group;
|
|
PACL Dacl;
|
|
PACL Sacl;
|
|
BOOLEAN Present;
|
|
BOOLEAN Defaulted;
|
|
va_list Arguments;
|
|
|
|
RtlInitUnicodeString(&KeyNameString, KeyName);
|
|
InitializeObjectAttributes(&ObjectAttributes,
|
|
&KeyNameString,
|
|
OBJ_KERNEL_HANDLE,
|
|
NULL,
|
|
NULL);
|
|
Status = ZwOpenKey(&KeyHandle,
|
|
READ_CONTROL | ACCESS_SYSTEM_SECURITY,
|
|
&ObjectAttributes);
|
|
ok_eq_hex(Status, STATUS_SUCCESS);
|
|
if (skip(NT_SUCCESS(Status), "No key (%ls)\n", KeyName))
|
|
{
|
|
return;
|
|
}
|
|
|
|
Status = ZwQuerySecurityObject(KeyHandle,
|
|
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
|
|
NULL,
|
|
0,
|
|
&SecurityDescriptorSize);
|
|
ok_eq_hex(Status, STATUS_BUFFER_TOO_SMALL);
|
|
if (skip(Status == STATUS_BUFFER_TOO_SMALL, "No security size (%ls)\n", KeyName))
|
|
{
|
|
ObCloseHandle(KeyHandle, KernelMode);
|
|
return;
|
|
}
|
|
|
|
SecurityDescriptor = ExAllocatePoolWithTag(PagedPool,
|
|
SecurityDescriptorSize,
|
|
'dSmK');
|
|
ok(SecurityDescriptor != NULL, "Failed to allocate %lu bytes\n", SecurityDescriptorSize);
|
|
if (skip(SecurityDescriptor != NULL, "No memory for descriptor (%ls)\n", KeyName))
|
|
{
|
|
ObCloseHandle(KeyHandle, KernelMode);
|
|
return;
|
|
}
|
|
|
|
Status = ZwQuerySecurityObject(KeyHandle,
|
|
OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION,
|
|
SecurityDescriptor,
|
|
SecurityDescriptorSize,
|
|
&SecurityDescriptorSize);
|
|
ok_eq_hex(Status, STATUS_SUCCESS);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Owner = NULL;
|
|
Status = RtlGetOwnerSecurityDescriptor(SecurityDescriptor,
|
|
&Owner,
|
|
&Defaulted);
|
|
CheckSid(Owner, NO_SIZE, SeExports->SeAliasAdminsSid);
|
|
ok(Defaulted == FALSE, "Owner defaulted for %ls\n", KeyName);
|
|
|
|
Group = NULL;
|
|
Status = RtlGetGroupSecurityDescriptor(SecurityDescriptor,
|
|
&Group,
|
|
&Defaulted);
|
|
CheckSid(Group, NO_SIZE, SeExports->SeLocalSystemSid);
|
|
ok(Defaulted == FALSE, "Group defaulted for %ls\n", KeyName);
|
|
|
|
Dacl = NULL;
|
|
Status = RtlGetDaclSecurityDescriptor(SecurityDescriptor,
|
|
&Present,
|
|
&Dacl,
|
|
&Defaulted);
|
|
ok_eq_hex(Status, STATUS_SUCCESS);
|
|
ok(Present == TRUE, "DACL not present for %ls\n", KeyName);
|
|
ok(Defaulted == FALSE, "DACL defaulted for %ls\n", KeyName);
|
|
va_start(Arguments, FileAndLine);
|
|
VCheckAcl__(Dacl, AceCount, FileAndLine, Arguments);
|
|
va_end(Arguments);
|
|
|
|
Sacl = NULL;
|
|
Status = RtlGetSaclSecurityDescriptor(SecurityDescriptor,
|
|
&Present,
|
|
&Sacl,
|
|
&Defaulted);
|
|
ok_eq_hex(Status, STATUS_SUCCESS);
|
|
ok(Present == FALSE, "SACL present for %ls\n", KeyName);
|
|
ok(Defaulted == FALSE, "SACL defaulted for %ls\n", KeyName);
|
|
ok(Sacl == NULL, "Sacl is %p for %ls\n", Sacl, KeyName);
|
|
}
|
|
ExFreePoolWithTag(SecurityDescriptor, 'dSmK');
|
|
ObCloseHandle(KeyHandle, KernelMode);
|
|
}
|
|
|
|
START_TEST(CmSecurity)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY NtSidAuthority = {SECURITY_NT_AUTHORITY};
|
|
PSID TerminalServerSid;
|
|
|
|
TerminalServerSid = ExAllocatePoolWithTag(PagedPool,
|
|
RtlLengthRequiredSid(1),
|
|
'iSmK');
|
|
if (TerminalServerSid != NULL)
|
|
{
|
|
RtlInitializeSid(TerminalServerSid, &NtSidAuthority, 1);
|
|
*RtlSubAuthoritySid(TerminalServerSid, 0) = SECURITY_TERMINAL_SERVER_RID;
|
|
}
|
|
CheckKeySecurity(L"\\REGISTRY",
|
|
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE",
|
|
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\HARDWARE",
|
|
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SAM",
|
|
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SECURITY",
|
|
2, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, WRITE_DAC | READ_CONTROL);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SOFTWARE",
|
|
12, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ | KEY_WRITE | DELETE,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ | GENERIC_WRITE | DELETE,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, TerminalServerSid, KEY_READ | KEY_WRITE | DELETE,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, TerminalServerSid, GENERIC_READ | GENERIC_WRITE | DELETE);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\MACHINE\\SYSTEM",
|
|
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\USER",
|
|
4, ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeWorldSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE, SeExports->SeRestrictedSid, KEY_READ);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\USER\\.DEFAULT",
|
|
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-18",
|
|
10, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasPowerUsersSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasPowerUsersSid, GENERIC_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE, SeExports->SeCreatorOwnerSid, GENERIC_ALL);
|
|
|
|
CheckKeySecurity(L"\\REGISTRY\\USER\\S-1-5-20",
|
|
8, ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeNetworkServiceSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeLocalSystemSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeAliasAdminsSid, KEY_ALL_ACCESS,
|
|
ACCESS_ALLOWED_ACE_TYPE, 0, SeExports->SeRestrictedSid, KEY_READ,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE |
|
|
OBJECT_INHERIT_ACE, SeExports->SeNetworkServiceSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE |
|
|
OBJECT_INHERIT_ACE, SeExports->SeLocalSystemSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE |
|
|
OBJECT_INHERIT_ACE, SeExports->SeAliasAdminsSid, GENERIC_ALL,
|
|
ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE |
|
|
CONTAINER_INHERIT_ACE |
|
|
OBJECT_INHERIT_ACE, SeExports->SeRestrictedSid, GENERIC_READ);
|
|
|
|
if (TerminalServerSid != NULL)
|
|
{
|
|
ExFreePoolWithTag(TerminalServerSid, 'iSmK');
|
|
}
|
|
}
|